Bug 28093

Summary: tomcat new security issue CVE-2021-24122
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: brtians1, geiger.david68210, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: tomcat-9.0.39-1.mga7.src.rpm
CVE: CVE-2021-24122
Status comment:

Description David Walser 2021-01-14 18:43:42 CET
Apache has issued an advisory today (January 14):
https://www.openwall.com/lists/oss-security/2021/01/14/1

The issue is fixed upstream in 9.0.40:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40

It only affects serving files from NTFS filesystems, so it's a minor issue.
Comment 1 David GEIGER 2021-01-25 07:44:35 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2021-01-25 17:10:24 CET
Advisory:
========================

Updated tomcat package fixes security vulnerability:

When serving resources from a network location using the NTFS file system it
was possible to bypass security constraints and/or view the source code for
JSPs in some configurations. The root cause was the unexpected behaviour of the
JRE API File.getCanonicalPath() which in turn was caused by the inconsistent
behaviour of the Windows API (FindFirstFileW) in some circumstances
(CVE-2021-24122).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.39-1.1.mga7
tomcat-admin-webapps-9.0.39-1.1.mga7
tomcat-docs-webapp-9.0.39-1.1.mga7
tomcat-jsvc-9.0.39-1.1.mga7
tomcat-jsp-2.3-api-9.0.39-1.1.mga7
tomcat-lib-9.0.39-1.1.mga7
tomcat-servlet-4.0-api-9.0.39-1.1.mga7
tomcat-el-3.0-api-9.0.39-1.1.mga7
tomcat-webapps-9.0.39-1.1.mga7

from tomcat-9.0.39-1.1.mga7.src.rpm

Assignee: java => qa-bugs

Comment 3 Brian Rockwell 2021-02-06 03:33:26 CET
$ uname -a
Linux linux.local 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 8 packages are going to be installed:

- tomcat-9.0.39-1.1.mga7.noarch
- tomcat-admin-webapps-9.0.39-1.1.mga7.noarch
- tomcat-docs-webapp-9.0.39-1.1.mga7.noarch
- tomcat-el-3.0-api-9.0.39-1.1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.39-1.1.mga7.noarch
- tomcat-lib-9.0.39-1.1.mga7.noarch
- tomcat-servlet-4.0-api-9.0.39-1.1.mga7.noarch
- tomcat-webapps-9.0.39-1.1.mga7.noarch

Works as designed.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 4 Aurelien Oudelet 2021-02-06 16:54:19 CET
Validating.
Advisory pushed to SVN.

CVE: (none) => CVE-2021-24122
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 5 Aurelien Oudelet 2021-02-07 18:17:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0072.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 Mageia Robot 2021-02-08 18:59:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0072.html